FirstBlood-#440 — Anyone can register as a doctor due to weak Invite key
This issue was discovered on FirstBlood v2 (issues patched)
On 2021-10-25, newrouge Level 3 reported:
Hey, as it was mentioned in scope that doctor registration is in a testing phase, I guessed it might be in a vulnerable state. So I figured out that anyone can register as a doctor with "INVITE-KEY: test".
- Go to /register.php
- Pick a username and put test as the invite code.
- You have successfully registered and can access the doctor panel with the username and password provided.
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted, but when testing FirstBlood v2 the developers accidentally left the test code working, so the registration check still accepted it.
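The root cause above is an invite check that still accepts a hard-coded test value. The following added example is not FirstBlood's code and the page shows no server code; it is written in Python rather than PHP so it can be run directly, and the function and store names (issue_invite, validate_invite, _ISSUED) are hypothetical. It places the weak pattern the report describes next to a validator that only accepts codes it actually issued, and that binds each code to a role, an expiry and a single use, so a leftover test string has nothing to match.

```python
import hashlib
import secrets
import time

# Constructed in-memory store of issued invite codes, keyed by the SHA-256
# of the code: a real deployment would keep this in the database next to
# the users table. Storing only the digest means a database leak does not
# hand out usable invites.
_ISSUED = {}


def _digest(code):
    # Codes are high-entropy random tokens, so an unsalted digest is enough
    # to act as the lookup key without storing the code itself.
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def issue_invite(role, ttl_seconds=86400, now=None):
    """Issue a single-use invite code bound to one role with an expiry."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(24)  # 192 bits of randomness
    _ISSUED[_digest(code)] = {
        "role": role,
        "expires": now + ttl_seconds,
        "used": False,
    }
    return code


def weak_validate(code):
    """The pattern the report describes: a leftover hard-coded test key
    that the check still accepts (shown only to contrast with the fix)."""
    return code == "test"


def validate_invite(code, requested_role, now=None):
    """Accept a code only if it was issued by us, is unexpired, unused,
    and was issued for the role the caller is trying to register as.
    Consumes the code on success so it cannot be replayed."""
    now = time.time() if now is None else now
    record = _ISSUED.get(_digest(code))
    if record is None:
        return False  # never issued: covers "test" and any other guess
    if record["used"]:
        return False  # already consumed
    if now > record["expires"]:
        return False  # stale invite
    if record["role"] != requested_role:
        return False  # a patient invite must not open the doctor panel
    record["used"] = True
    return True


if __name__ == "__main__":
    # Constructed walkthrough: the weak check passes the test key, the
    # hardened check rejects it and only honours a freshly issued code once.
    print("weak check accepts 'test':", weak_validate("test"))
    print("hardened check accepts 'test':", validate_invite("test", "doctor"))
    doctor_code = issue_invite("doctor")
    print("issued code, first use:", validate_invite(doctor_code, "doctor"))
    print("issued code, second use:", validate_invite(doctor_code, "doctor"))
```

The lookup is keyed on the digest of the submitted code, so there is no string comparison against a secret value that a timing difference could leak, and the role binding means an invite issued for one account type cannot be used to register as another. Removing the test-phase shortcut is then a matter of never having a code path that returns True without a matching issued record.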